Description: A high-level Python Web framework that encourages rapid development and clean design
Version:     2.0.6-1 [extra]


Group     Affected   Fixed      Severity  Status  Ticket
AVG-649   1.11.10-1  1.11.11-1  Medium    Fixed
AVG-624   1.11.8-1   1.11.10-1  Medium    Fixed
AVG-233   1.10.3-2   1.11-1     Medium    Fixed
AVG-57    1.10.2-1   1.10.3-1   High      Fixed
AVG-35    1.9.9-1    1.10.1-1   Medium    Fixed
Issue           Group     Severity  Remote  Type                        Description (below each row)
CVE-2018-7537   AVG-649   Medium    Yes     Denial of service
    If django.utils.text.Truncator’s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to...
CVE-2018-7536   AVG-649   Medium    Yes     Denial of service
    The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular...
CVE-2018-6188   AVG-624   Medium    Yes     Information disclosure
    A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an...
CVE-2017-7234   AVG-233   Medium    Yes     Open redirect
    A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t...
CVE-2017-7233   AVG-233   Medium    Yes     Cross-site scripting
    Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check...
CVE-2016-9014   AVG-57    High      Yes     Access restriction bypass
    Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013   AVG-57    High      Yes     Authentication bypass
    When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401   AVG-35    Medium    Yes     Cross-site request forgery
    Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...


Date         Advisory        Group     Severity  Description
06 Mar 2018  ASA-201803-5    AVG-649   Medium    denial of service
06 Apr 2017  ASA-201704-2    AVG-233   Medium    multiple issues
16 Nov 2016  ASA-201611-15   AVG-57    High      multiple issues
21 Oct 2016  ASA-201610-13   AVG-35    Medium    cross-site request forgery